Critical Vulnerability in ColdFusion Addressed as Adobe Releases Another Key Patch

July 17, 2023

Adobe has released patches for a critical vulnerability in its ColdFusion software that could be exploited to execute arbitrary code. The vulnerability, known as CVE-2023-38203, has a CVSS score of 9.8 and is characterized as 'deserialization of untrusted data' in ColdFusion versions 2023, 2021, and 2018. This type of vulnerability generally allows an attacker to provide specially designed data that can trigger the arbitrary code execution, potentially leading to a full system compromise. Adobe has noted that a proof-of-concept blog for this vulnerability has been published online.

The company announced on Friday that the issue had been addressed with the release of updates for ColdFusion 2023, 2021, and 2018. The patches for CVE-2023-38203 were released just days after Adobe addressed another critical 'deserialization of untrusted data' bug in ColdFusion, identified as CVE-2023-29300, also with a CVSS score of 9.8.

The Zero Day Initiative's Dustin Childs has reported that the first attacks targeting CVE-2023-29300 have already been observed in the wild. His statement was, 'Adobe released another update for ColdFusion today and note CVE-2023-38203 had been publicly disclosed. They also now say CVE-2023-29300 (patched Tues.) has active attacks in the wild.'

Given these developments, users of ColdFusion are strongly recommended to install the latest security updates as soon as they can to protect their systems from potential attacks.

Latest News

• Critical Vulnerability Detected in Cisco SD-WAN vManage Software
• Zimbra Calls for Manual Patching of Actively Exploited Zero-Day Vulnerability
• BlackLotus UEFI Malware Source Code Leaked on GitHub
• Critical Vulnerabilities Discovered in Honeywell Industrial Control Systems
• Critical Security Flaws Patched in SonicWall's GMS and Analytics Products